GET YOUR VULNERABILITY AND THREAT DATABASE SUBSCRIPTION
EKOLABS 2016


Mobile Apps

Published on May 4th, 2013 | by NJ Ouchn

29

Building my own PwnPad Community for fun and for less than $300

Building my own PwnPad Community for fun and for less than $300 NJ Ouchn
Purpose - 80%
Audience - 100%
Technical Coverage - 90%
Hacking - 70%

Summary: A commercial grade penetration testing tablet providing unprecedented ease of use in evaluating wired and wireless networks. The sleek form factor of the Pwn Pad makes it an ideal product choice when on the road or conducting a company or agency walk-through

86%


User Rating: -2.4 (169 votes)

More than 1 year ago, i have posted an entry about a hardware for doing pentesting. It was the PwnPlug by Pwnie Express folks. Since, the guys have improved a lot their hardware and released new stuff. One toy that caught my attention was the PwnPad.

PwnPad is the art of turning a Tablet, actually Google Nexus 7 tablet, into a pentesting machine.

Here is the commercial PwnPad description as it comes in PwnieExpress website

A commercial grade penetration testing tablet providing unprecedented ease of use in evaluating wired and wireless networks. The sleek form factor of the Pwn Pad makes it an ideal product choice when on the road or conducting a company or agency walk-through. This high-speed, lightweight device, featuring extended battery life and 7” of screen real estate, offers pentesters an alternative never known before.

Core Features:
  • Android OS 4.2 and Ubuntu 12.04
  • One-touch Pentesting
  • Large screen, Powerful battery
  • OSS-Based Pentesting Toolkit
  • Long Range Wireless & Bluetooth

Included Accessories:

  • TP-Link High-gain 802.11b/g/n USB wireless
  • Sena High-gain USB Bluetooth
  • USB-Ethernet adapter (for wired networks)
  • USB OTG cable (for USB host-mode)
  • Protective tablet case

BUT, there is always a BUT. The price is a bit higher ($895.00 USD) but justified: The amount of work, all the effort, the innovative approach etc. And it deserved it. Besides, the folks at PwnieExpress provided a less costy way to build your own pwnpad. In fact, the community release of their software images are freely downloadable.

Building your own PwnPad is possible. Despite my legendary laziness, i did it. So you can. And here is how ..

Needed Hardware

The full original list provided by PwnieExpress Team is here. So i rely on it to understand the process before shooting my Nexus 7.

When i started my installation here is the list of the hardware i had.

  • Backtrack 5.2 Linux. PwnieExpress recommend Ubuntu 12.04. But with some tricks you can rely on BT.
  • Nexus 7 Tablet with 32 G Wifi + Mobile Data. Beware, the installer for now supports only this model.
  • A micro USB OTG to USB 2.0 adapter. Actually, i bought one from Amazon for 5$ ( Here is the one i got KooPower TM Micro USB OTG )
  • Trendnet TU2-ET100 Adaptateur USB 2.0 Ethernet 10/100 for almost 20$ (here is the link)
  • A 8 GB USB key formatted with NTFS. I used one i got at home and formatted to NTFS.
  • A TP – Link TL – WN 722 N USB adapter for almost 15$ . For WiFi hacking. But i did not received yet.(so no injection for me now)
  • Sena High-gain USB Bluetooth. I love hacking with Bluetooth especially with all those dorks in subway with their loud music wireless earphones. But did not receive mine yet. The Sena is a bit costy (around 50$)
  • Jammy Lizard Aluminium Bluetooth Keyboard bought on Amazon for 25$. When you have to do something, do it with some class 😉

2013-05-04 10.40.11

Google Nexus 7 Mobile + Bluetooth keyboard (before pwning)

2013-05-04 10.39.19

micro USB OTG to USB 2.0 adapter

2013-05-04 10.39.33

Trendnet TU2-ET100 Adaptateur USB 2.0 Ethernet 10/100

 

Preparing Software  

Backtrack 5.x with Ubuntu 12.04 source lists (if you have an Ubuntu 12.04, skip this)

 USB dongle NTFS Formatted

Any 8GB USB dongle could be used for the installation. As for myself, i used a very common USB key that i formatted with my Win XP. Lifehacker folks gave the method. So follow it !

It worked for me.

 Installation Steps

PS : Stick the instructions in front of you http://cdn.shopify.com/s/files/1/0159/6468/files/PwnPadCommunityEditionInstallationGuide.pdf 

1  – Starting the extract script

Just follow the instructions (Extract the package & run the installer script)  given with http://cdn.shopify.com/s/files/1/0159/6468/files/PwnPadCommunityEditionInstallationGuide.pdf 

While the script was running, i was prompted to confirm the android package. Do not panic. Just say yes. Here are the warnings sample :W: GPG error: http://ppa.launchpad.net precise Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 5C5364B55E51A24C

WARNING: The following packages cannot be authenticated!
android-tools-adb android-tools-fastboot
Install these packages without verification [y/N]? y

2  – Everything is good.

If everything worked as expected, you should be prompted to supply the USB location

Enter the device name of the locally-attached USB flash drive containing the TWRP folder (in /media/) Example: usb1: 144E6FEE4E6FC758

_____      ___  _ ___ ___   _____  _____ ___ ___ ___ ___
| _ \ \    / / \| |_ _| __| | __\ \/ / _ \ _ \ __/ __/ __|
|  _/\ \/\/ /| .` || || _|  | _| >  <|  _/   / _|\__ \__ \
|_|   \_/\_/ |_|\_|___|___| |___/_/\_\_| |_|_\___|___/___/

=== Pwn Pad Installer Release 4.10.2013 ===
A Mobile Pentesting platform by PwnieExpress.com

Please review the Pwn Pad Installation Guide before proceeding:
http://pwnieexpress.com/pages/community-downloads

————————————-
WARNING: THIS WILL WIPE ALL EXISTING DATA FROM YOUR NEXUS TABLET!
Pwnie Express is not responsible for any data loss resulting from
using this installer. Backup any important data before proceeding!
——————————————————————-Press ENTER to continue, CTRL+C to abort.Step 1. Boot your Nexus 7 into fastboot mode by holding the power button and Volume-Down button at the same time.Step 2. Attach your Nexus 7 to your Linux computer using the stock micro-USB cable that came with the Nexus.Step 3. If not already done, attach the USB flash drive containing the TWRP folder to your Linux computer.Press [Enter] key to continue…Doing md5sum check on the PwnPad image on usb drive to check for corruption…boot.emmc.win: OK
data.ext4.win000: OK
data.ext4.win001: OK
system.ext4.win: OKmd5 checksum passed.  Proceeding.Unlocking devicePlease hit the power button once on the device to select YES2013-05-04 12.39.40
(bootloader) erasing userdata…
(bootloader) erasing userdata done
(bootloader) erasing cache…
(bootloader) erasing cache done
(bootloader) unlocking…
(bootloader) Bootloader is unlocked now.
OKAY [ 80.531s]
finished. total time: 80.531s
erasing ‘userdata’…
OKAY [  4.911s]
formatting ‘userdata’ partition…
Creating filesystem with parameters:
Size: 30063722496
Block size: 4096
Blocks per group: 32768
Inodes per group: 8192
Inode size: 256
Journal blocks: 32768
Label:
Blocks: 7339776
Block groups: 224
Reserved block group size: 1024
Created filesystem with 11/1835008 inodes and 159204/7339776 blocks
sending ‘userdata’ (139157 KB)…
writing ‘userdata’…
OKAY [ 31.291s]
finished. total time: 36.202s
erasing ‘cache’…
OKAY [  0.084s]
formatting ‘cache’ partition…
Creating filesystem with parameters:
Size: 464519168
Block size: 4096
Blocks per group: 32768
Inodes per group: 7088
Inode size: 256
Journal blocks: 1772
Label:
Blocks: 113408
Block groups: 4
Reserved block group size: 31
Created filesystem with 11/28352 inodes and 3654/113408 blocks
sending ‘cache’ (9052 KB)…
writing ‘cache’…
OKAY [  1.843s]
finished. total time: 1.927s
Booting into TWRP

downloading ‘boot.img’…
OKAY [  0.951s]
booting…
OKAY [  0.019s]
finished. total time: 0.970s

Once device has booted into the “Team Win Recovery Project” screen, do the following in this order:

1. Disconnect micro-USB cable from the Nexus
2. SAFELY Remove USB drive from your Linux computer and attach it to Nexus via micro-USB OTG cable.
3. Tap “Restore” and select “Use External SD” (top left).  Hit the back button, then go back to “Restore”
4. Select “PwnPadv0a”, then “Swipe to Restore”

2013-05-04 12.49.05
5. Once complete tap “Reboot System” and hold down the Volume-Down button while booting
5. Once device is back in FASTBOOT mode, reconnect the Nexus to your Linux computer using the stock micro-USB cable that came with the Nexus. Then, AND ONLY THEN, press ENTER to continue.

2013-05-04 12.40.16

2013-05-04 12.45.28

Press [Enter] key to continue…
Press [Enter] key to continue…
erasing ‘boot’…
OKAY [  0.032s]
finished. total time: 0.032s
sending ‘boot’ (4942 KB)…
OKAY [  0.637s]
writing ‘boot’…
OKAY [  0.200s]
finished. total time: 0.837s
rebooting…

finished. total time: 0.020s

Device Finished!

2013-05-04 12.57.13

Testing the pwnpad

Upon rebooting, you’ll be amazed by the desktop full of the tools needed for performing pentesting. I tested everything .. almost everything except WiFi pentesting, did not received yet my WiFi Dongle for injection.

Metasploit, SET, nmap, w3af . .everything is working like a charm ….
Now waiting my 2 adapters
  • TP-Link High-gain 802.11b/g/n USB wireless
  • Sena High-gain USB Bluetooth

to test the awesomeness of pwnpad 🙂

I will post a more detailed blog about pwnpad cool stuff. Until then, PwnieExpress is full of material and great posts.

2013-05-04 13.03.11

using the bluetooth keyboard.

2013-05-04 13.18.41

Metasploit loaded …

2013-05-04 13.27.39

nmap in action …

Mishap

I tried to update metasploit. Everything worked well until the restart. Metasploit was expecting the Bundler Gem. I retrieved it and launched the install (bundle install). One of the packages (factory_girl) expected a newest ruby version. Maybe this post could help but i was too excited to play with the toy.

My version of metasploit was then screwed up. Do not panic. There is a little trick to recover metasploit or at least how i circumvent this issue to restore the original version that comes with pwnpad.

The pwnpad packages (data.ext4.win000 and data.ext4.win001) are archives files. So gunzip/untar them and browse to /ubuntu/local/opt/. Then generated a new .tar file that i transfered using the USB key.

Into the nexus, i removed the repository metasploit (rm -rf /opt/metasploit-framework) and untar the fresh version. It worked 🙂

update !!

Here is what jcran from pwnieexpress sent about this issue (see the comments)

” .. make sure your ruby is configured for 1.9.3, then run msfupdate with the following:

update-alternatives –query ruby
update-alternatives –set ruby1.9
apt-get –purge remove libruby1.8 ruby1.8 ruby1.8-dev rubygems1.8
msfupdate

 




Tags: , ,


About the Author

Principal Founder & Maintainer - Freelancer ICS/SCADA Security Expert As part of my research, I'm focusing into maintaining many projects as the DPE (Default Password Enumeration), vFeed® the open source correlated & cross-linked vulnerability database and FireCAT the Firefox Catalog of Auditing exTensions. Today, I'm the co-organizer of the major event Blackhat Arsenal Tools (US and Europe) since 2011 and since 2014 co-organizer of Rooted Warfare in Spain. I'm going by the handle of @toolswatch on Twitter and always willing to help, share and drink with friends from far and wide.



29 Responses to Building my own PwnPad Community for fun and for less than $300

  1. jcran says:

    Great post, thanks for sharing. To address the metasploit issue, you should be able to simply run ‘msfupdate’ – If this fails for some reason, make sure your ruby is configured for 1.9.3, then run msfupdate with the following:

    update-alternatives –query ruby
    update-alternatives –set ruby1.9
    apt-get –purge remove libruby1.8 ruby1.8 ruby1.8-dev rubygems1.8
    msfupdate

    • NJ Ouchn says:

      jcran,
      Thanks very very much for this. I will try it. I knew it was some issue regarding the ruby version but was really excited to play with the beast 🙂

      Anyway, you guys at pwnieexpress rock. If by any chance, you are attending the BH / Defcon, please pop up at the BH Arsenal, i will be happy to offer a beer 😉

      @toolswatch

  2. Pingback: Metasploit 4.7.0-Dev on the pwnpad | Secure Maryland

  3. Chris Branca says:

    Hi, I was wondering your thoughts on other adapters such as
    AWUS036H
    or
    AWUS036NHA
    made by alfa

    as far as range and stability, etc.i remember when the pwn pad hit slashdot/reddit from the security convention and thought kool but i could make one if i had time never got around to it then i saw your guide. would be fun for sec/pen tests

  4. Chris Branca says:

    also, follow up question: will this work on nexus 10 ? haven’t been following the droid community for awhile

    i saw the comment about it only works on 32gb nexus 7 but i imagine it would be compatible with a few mods to the image installer

    thanks in advance

  5. Chris Branca says:

    looks like nexus 8 and 11 slated soon was just curious about support for the newer models before i go and expense into an older version of the tablet as im so late in the game when it comes to building one.

    Nexus 8: Release Date, Specs, Price, Rumors About Asus’s New Google Nexus Tablet [REPORT]
    Nexus 8 Release Date Expected To Be Q4 Of 2013, October Or November

    src:
    http://www.idigitaltimes.com/articles/18724/20130709/nexus-8-release-date-specs-price-rumors.htm

    Nexus 11 release date
    Nexus 11: Release Date, Specs, Other Rumors About Samsung’s New Google Nexus Tablet [REPORT]
    src:
    http://www.idigitaltimes.com/articles/18665/20130704/nexus-11-release-date-specs-rumors-samsung.htm

  6. Andrew says:

    Does it matter if we use the 2012 or the 2013 version of the Nexus as long as its wifi+mobile and 32GB?

    • NJ Ouchn says:

      Does not matter. As i used myself the 2013 version.

      @toolswatch

      • jackson says:

        so, if it works with the 2013 version… what else can you change? e.g. do I need mobile data? dose it need to be 32 GB or can it be bigger?

        Thank You 🙂

        • NJ Ouchn says:

          Maybe you should get in touch with pwnie folks as they are behind the community release. I have just tried to build mine from scratch and it works for me.

      • vermi pradesh says:

        NJ, just to clarify. You have successfully tried this method on the Nexus 2013 besides the one on the photos (w/c, I’m quite sure, is the 2012 version)?

      • BeNe says:

        Hi NJ Ouchn,

        just for my understanding.
        You run your Nexus 7(2013) LTE Version(a.k.a “deb”)
        as PwnPad with the same install path as described here?
        No need for a new Kernel or Update?
        The TWPR Backup only runs under the 2012 Version or not ?

        I started a thread at the pwnpad forum about the Nexus 7(2013)
        –> http://w11.zetaboards.com/Pwnie_Express/topic/9102405/1/

        • NJ Ouchn says:

          exactly … no need to new kernel.

          • NonPublished says:

            NJ Ouchn,

            What would you charge me to set up one, complete.

            Cannot afford new one, but may pay $500 for perfect set up?

            Can you help?

            I bought a nokia 900 phone with this software but cannot see the screen after eye surgery.

          • NJ Ouchn says:

            Hi,
            Sorry this i cannot do. First because, i was doing this for fun not for making money and secondly pwnieexpress is selling the product. To respect their work, i cannot sell any pwnpad … just try to do it …it is a lot of fun … give it a try

  7. Chris Branca says:

    i thought there was issues with the 2013 model for pwnpad? are u running kali custom or community edition?

  8. BeNe says:

    I tried to install the pwnpad community edition on my Nexus 7 (2013) deb Version.
    After restore the image and flashing the kernel (pwnpad-bootimg.img) the device hangs on the white “Google” Logo. Had no luck to get it running.

    • aliby says:

      I am in the same boat as BeNe. I tried flashing this to my Nexus 7 2013 LTE and it would just hang at the white Google logo.

      That, and based off of the images shown in this article, leads me to believe that this was done on a Nexus 7 2012/first generation and not the newer 2013 version.

      • NJ Ouchn says:

        The best who can answer this .. are the pwnie folks. As far as i can remember, i bought mine Apr 24, 2013 .. I still got the receipt and confirmation email.

        • sohail says:

          I am in the same boat. I had to make several changes. I needed to change recovery-twrp-2.3.2.1-nakasi.img to openrecovery-twrp-2.6.3.1.img

          I also needed to modify the install script to cut the first 8 digits of the device instead of the first 16, that left me with deviceID fasboo

          I purchased mine 2 weeks ago. It’s GSM capable, just like they wanted, so I’m not sure what else I can do to get this to boot.

  9. j0k3r says:

    possible to install it on nexus 7 16gb only wifi version ? /2012/

  10. delphi7 says:

    “update-alternatives –query ruby
    update-alternatives –set ruby1.9
    apt-get –purge remove libruby1.8 ruby1.8 ruby1.8-dev rubygems1.8
    msfupdate”

    I attempted this and it deleted 1.8 but it would not set 1.9. Now metasploit locks up at the command msfconsole

    I tried msfupdate anyway and it gave me a GPG error.
    Invalid signatures NODATA1 NODATA 2

    Any ideas?

  11. delphi7 says:

    @ jok3r. Yes you can, there are tutorials elsewhere. you will need the “FLO” specific files.

  12. Claudio R. says:

    By mistake someone in my family click on the 4.3 android update icon and proceeded with the installation. Now my pwn pad community edition tablet after four to five minutes the screen goes off and it locks. After trying many times the screen goes normal, but again it locks after 30 seconds. If there is a way to fix this problem. Thank you for any help you can provide.

    • NJ Ouchn says:

      Hi Claudio.. please try to connect with pwnie folks… but they warn about not to update… I had a bad feeling that you need to reinstall everything 🙁

  13. Hackspy says:

    I installed the last kernel from pwnie express with no problems in a Nexus 7 2013 16GB Wifi only.

    Was not necesary to use the USB, I use an Ubuntu Server 12.04 with a virtual machine (but had some popups that make me some trouble when the machine restarts, so I had to be quick in closing them).

    Just that.

    Now I’m trying to connect msf to postgresql… any suggestions?

    I tried to install postgress but got some problems.

  14. ALWAYS BACKUP IMPORTANT DATA FROM YOUR TABLET BEFORE ATTEMPTING THIS
    i made a how to video for an alternative way to install a community edition kali pwn pad distro with an updated kernel that supports otg-y cable charging, ok here it is good luck
    http://www.youtube.com/watch?v=mAI0aDyOuN8

    • BTW the installation method in this video uses a program made by wugfresh that operates within a windows 7 architecture to install the community edition pwn pad with updated kernel which of coarse was made available by binky bear. THIS REQUIRES NO LINUX COMPUTER, NO COMMAND SHELL, NO USB STICK, NO REAL KNOWLEDGE OF WHAT YOU ARE DOING. LINKS TO ALL REQUIRED HARDWARE ARE IN THE VIDEO DESCRIPTION.

  15. john says:

    Here main question is. Has any one got armitage working on pwnee express in chroot .that’s the biggest question I ever want..look every where for a solution to fix this…. I appreciated if someone comes back with a answer cheers

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top ↑